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(54) Control and data transmission device and method for transmission of security related data 



(57) The invention concerns a control and data 
transmission installation and a process for the transmis- 
sion of safety-related data in a control and data trans- 
mission installation. 

The object of the invention is to improve existing 
field bus systems, in particular the interbus, from the 
point of view of safety procedures, in such a way that 
there is no need either for additional lines for the trans- 
mission of control signals or redundant, safety-related 



units. 

The invention attains that object in that arranged in 
the master control device (20) and in the bus subscrib- 
ers (30, 40, 50) are respective safety-related devices 
(210; 80) for carrying out predetermined safety func- 
tions, and that the safety-related devices (80; 210) can 
communicate with each other by way of the field bus 
(10). 
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Description 

[0001] The invention concerns a control and data 
transmission installation as set forth in the classifying 
portion of claim 1 and a process for the transmission of 
safety-related data in such an installation as set forth in 
claim 1 1 . 

[0002] For a number of years the automation field has 
increasingly frequently seen the use of field bus sys- 
tems to which input/output devices and a higher-order 
control device are connected. The cabling expenditure 
can be considerably reduced with such field bus sys- 
tems as it is possible to save on copper lines. So that 
the field bus systems do justice to the necessary 
requirements in terms of safety procedures, certain 
safety functions, such as for example a stop function or 
an emergency off function, by which the field bus sys- 
tem can be put into a safe condition, must be imple- 
mented. In the previously known field bus systems the 
transmission of the control signals required for that pur- 
pose is respectively effected by way of parallel individ- 
ual lines, that is to say not by way of the field bus itself. 
Other known approaches involve designing all those 
devices which are to perform safety functions in a suita- 
bly redundant mode. The known technologies suffer 
from the disadvantage that either a high level of redun- 
dant components is required, or individual parallel lines 
are needed for the transmission of the additional control 
signals. 

[0003] The object of the present invention is therefore 
that of so improving the above-indicated control and 
data transmission installation with a serial field bus, that 
the above-specified disadvantages are avoided and the 
flexibility of the installation can be increased, insofar as 
safety-related units which are independent of manufac- 
turer can be integrated in the installation in a simple 
fashion. 

[0004] The invention attains that object on the one 
hand by means of the features of claim 1 . 
[0005] The core notion of the invention is that of pro- 
viding a field bus system with safety functions which for 
example comply with category 3 or 4 respectively of the 
European Standard EN 954-1 (status 1996) and the 
classes of service requirements 4 and 6 respectively in 
accordance with DIN V 19250 (status May 1994). 
[0006] For that purpose there is provided a control and 
data transmission installation have a serial field bus to 
which a master control device and a plurality of bus par- 
ties or subscribers, that is to say for example input/out- 
put devices, are connected. A respective safety-related 
device for the implementation of predetermined safety 
functions is arranged both in the master control device 
and also in the bus subscribers. The term safety-related 
device is used to denote a device which, substantially in 
response to status information in respect of the installa- 
tion, performs predetermined safety functions which 
make it possible for the entire installation, predeter- 
mined units or portions of the installation to reach a safe 



condition. Safety functions include for example a stop 
function which can put the entire installation or given 
parts thereof into a safe condition, as rapidly as neces- 
sary. The emergency off function is also a safety func- 

5 tion, with which the entire system can be put into a safe 
condition. Further safety functions involve for example 
the locking of doors, unintentional re-starting in the fault 
condition of the installation or a predetermined region, 
and other functions as defined for example in the Euro- 

10 pean Standard EN 954-1. Unlike the state of the art 
wherein either redundant components are implemented 
for steps relating to safety procedures, or parallel lines 
are required for the transmission of the necessary con- 
trol signals, the safety-related devices in accordance 

75 with the invention are implemented without redundancy 
in the master control device and in the bus subscribers 
and are capable of communicating with each other by 
way of the field bus itself. 

[0007] Each bus subscriber is connected to the field 

20 bus by way of a bus connecting device. The bus con- 
necting device can have an ASIC-component in which 
the data transmission protocol is implemented. The 
data transmission protocol can be for example the inter- 
bus protocol if an interbus is used as the field bus. The 

25 bus connecting device serves to transmit by way of the 
field field, the safety-related data which are to be 
exchanged between the safety-related devices, in the 
useful data fields of predetermined data frames. If an 
interbus protocol is used, the data frame is a sum frame 

30 in which the useful data of all connected bus subscrib- 
ers are contained. Throughout the description and the 
claims the expression safety-related data is used to 
denote data which represent the safety condition of the 
respective bus subscriber or also the master safety 

35 device. The safety conditions of a bus subscriber are 
detected by monitoring devices, in particular sensors, 
which are associated with the units to be safeguarded 
which are connected to the respective bus subscriber. 
For example a sensor detects the speed of rotation of a 

40 machine. In that case the safety-related data indicate 
whether the speed of rotation of the machine is in the 
tolerance range or has exceeded a critical speed. It is 
possible that the master control device and the bus sub- 
scribers embed the safety-related data to be transmitted 

45 into the useful data fields of the respective bus sub- 
scriber so that the useful data intended for the master 
control device and the safety-related data of the bus 
subscriber can be transmitted in the same bus cycle. In 
addition it is also possible to envisage the safety-related 

so data of a bus subscriber being transmitted in the useful 
data field during a separate bus cycle. 
[0008] In a preferred development the safety-related 
device of each bus subscriber and/or of the master con- 
trol device has at least one input which is connected to 

55 the monitoring device, for example a sensor. The design 
configuration of the safety-related device is such that it 
negates the output signal of the monitoring device and 
produces from the output signal and/or the negated out- 
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put signal thereof an item of check information which 
together represent the items of safety-related informa- 
tion of the respective bus subscriber, which are to be 
transmitted. In that way the degree of installation safety 
can be further increased as, in the event of defective 
transmission of the safety-related data, the correct infor- 
mation can be obtained either from the negated data or 
from the check sum. This procedure makes it possible 
to achieve a bit error probability of 10" 13 . 
[0009] In per se known manner each bus subscriber 
and/or the master control device has at least one output 
which is connected to a device to be safeguarded. As 
already mentioned, the devices to be safeguarded may 
be robots, machines and the like. 
[001 0] In accordance with an advantageous develop- 
ment each output is connected by way of a switch to the 
bus connecting device and directly to the safety-related 
device of the respective bus subscriber and/or the mas- 
ter control device. The safety-related device opens or 
closes the switch in dependence on the output signal of 
the monitoring device associated with a device to be 
safeguarded. In other words, the device to be safe- 
guarded is put into a safe condition, that is to say it is 
disconnected from the installation if a fault has 
occurred. It should already be mentioned at this point 
that the safety function which is to be performed as a 
consequence of a detected fault is effected either by the 
output signal of the respective monitoring device or it is 
triggered by suitable safety-related data which are pro- 
duced by the master control device and which are trans- 
mitted to the safety-related device of the respective bus 
subscriber. 

[001 1 ] In accordance with an advantageous develop- 
ment associated with the master control device is a 
higher-order control unit which can trigger one or more 
predetermined safety functions in dependence on the 
safety-related data of the bus subscribers. Thus for 
example, depending on the nature of the fault ascer- 
tained in a bus subscriber, either the devices to be safe- 
guarded, which are connected to that bus subscriber, on 
their own, predetermined regions of the installation, or 
even the entire installation, can be switched off. 
[001 2] So that the master control device can read the 
safety-related data of the bus subscribers out of the 
data frame, it has a receiving device, an evaluation 
device for evaluation of the received safety-related data, 
and a device which, in response to the evaluated data, 
produces new safety-related data which are intended 
for the respective bus subscriber and which correspond 
to a predetermined safety function. In addition the 
design configuration of the receiving device is such that 
it can receive the safety-related data, the negated data 
thereof, and the items of check information, which are 
formed therefrom, in respect of the respective bus sub- 
scriber, and that the data-producing device can produce 
new safety-related data, the negated data thereof, and a 
new item of check information formed therefrom, and 
can transmit same in the useful data field of a data 



4 

frame to the respective bus subscriber. 
[0013] The object of the invention is also attained by 
the process steps of the process claimed in claim 1 1 for 
the transmission of safety-related data in a control and 
5 data transmission installation. 

[001 4] Advantageous developments are recited in the 
appendant claims. 

[0015] The invention is described in greater detail 
hereinafter by means of an embodiment with reference 
10 to the accompanying drawings in which: 

Figure 1 shows a greatly simplified block circuit dia- 
gram of a control data-transmission installation in 
which the invention is embodied, 
75 Figure 2 shows the block circuit diagrams of two 
bus subscribers as shown in Figure 1 , in which the 
safety-related device according to the invention is 
implemented, 

Figure 3 shows the block circuit diagram of the 
20 master control device shown in Figure 1 , with the 
safety-related device according to the invention, 
and 

Figure 4 shows a data frame by way of example, in 
which safety-related information of a bus subscriber 
25 is contained. 

[0016] Figure 1 shows by way of example an interbus 
system for a control and data transmission installation, 
as is described in the specialist literature "Irrterbus-S, 

30 Grundlagen und Praxis" (translation: "Interbus-S, Prin- 
ciples and Practice"), Huhtig Buchverlag, Heidelberg 
1994, by Alfredo Baginsky et al. Connected to the inter- 
bus 10 are a master control device 20 and three bus 
subscribers 30, 40 and 50. It should be expressly 

35 pointed out that this is an embodiment which is given by 
way of example, while the invention can be applied to 
other field buses and to systems comprising a plurality 
of interconnected field buses. The bus subscriber 30 is 
connected to a per se known protective grid 60 for mon- 

40 itoring machines, robots and the like which are con- 
nected to the bus subscriber 30. 
[0017] Figure 2 shows the bus subscribers 30 and 40 
in greater detail in block circuit diagram form. As the cir- 
cuitry structure of the bus subscribers is substantially 

45 identical, only the structure of the bus subscriber 30 will 
be described in greater detail. The bus subscriber 30 is 
connected to the interbus 1 0 by way of a bus connecting 
device 70. The bus connecting device 70 can have an 
ASIC-component on which the per se known interbus 

so data transmission protocol is implemented. In addition, 
a safety-related circuit arrangement 80 is implemented 
in the bus subscriber 30 and can deal with monitoring 
the bus subscriber 30 in respect of safety procedures, in 
accordance with the invention. The safety functions 

55 which the safety circuit arrangement 80 can perform are 
already defined in various standards. In addition all con- 
ceivable safety functions can be embodied by the 
safety-related circuit arrangement 80. For that purpose 
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the safety-related circuit arrangement 80 has a safety 
component 90 in which a predetermined safety protocol 
which can be known per se is implemented. The safety 
component 90 for example performs regular self-tests in 
conformity with EN 954-1. For that purpose, an output 5 
line 94 is connected to switches 95 and 96 by way of 
which the sensors 100 and 102 respectively are con- 
nected to the inputs 92 and 93. This kind of self-test is 
known per se. The safety component 90 has for exam- 
ple two inputs 92 and 93 which are connected to a sen- 10 
sor 100 and 102 respectively, which are associated with 
devices to be monitored. For example the sensor 100 
monitors the speed of rotation of a lathe 1 10 and the 
sensor 102 monitors a welding robot 120. The protec- 
tive grid 60 shown in Figure 1 can also be connected to 15 
the inputs of the safety component 90. As already 
shown the output of the sensor 100 is connected to the 
input 92 of the safety component 90 and directly to an 
input of the bus connecting device 70. In a similar fash- 
ion, the output of the sensor 102 is connected to the 20 
input 93 of the safety component 90 and directly to an 
input of the bus connecting device 70. The safety com- 
ponent 90 serves to negate the input data coming from 
the sensors 100 and 102, hereinafter referred to as the 
actual safety-related data, and to feed same as safety- 25 
related negated data to the bus connecting device 70. In 
addition the safety component 90 produces an item of 
check information from the negated safety-related data 
and/or from the non-negated safety-related data, and 
that check information is also fed to the bus connecting 30 
device 70. The safety-related data, the negated safety- 
related data and the check information form the safety- 
related information. That arrangement provides for 
improving the safety performance of the interbus sys- 
tem as the level of data transmission safety and security 
is increased. It will be appreciated that it is possible for 
only the safety-related data to be fed to the bus connect- 
ing device 70. It should once again be mentioned that 
the safety-related data involve the actual condition or 
status data of the bus subscriber 30, more specifically 
the condition or status data of the devices 110 and 120 
to be safeguarded, which are connected thereto. The 
bus connecting device 70 produces a conventional data 
frame, in the example of the interbus system a sum 
frame, in which the input data of the connected bus sub- 
scribers 30, 40 and 50, which are to be transmitted to 
the master control device 20, are successively con- 
tained. 

[001 8] Figure 4 shows by way of example an interbus 
sum frame 125 which contains for example a so-called 
loop-back word which the master control device 20 has 
produced. A further field is allocated to the check sum. 
The useful data of the bus subscriber 30. 40 and 50 
respectively are contained in the fields 130, 140 and 
150. The sum frame 125 is transmitted in a bus cycle to 
the master control device 20. Now, in accordance with 
the invention the bus connecting device 70 is to perform 
the function of writing the safety-related items of infor- 



mation of the bus subscriber 30 into the field 130 asso- 
ciated therewith. In our example, the safety-related data 
of the sensors 1 00 and 1 02 are written into the field 1 32, 
the negated safety-related data are written into the field 
134 and the calculated check information is written into 
the field 136. It should be noted that the safety-related 
data in the fields 132, 134 and 136 either occupy the 
entire useful data field 1 30 of the bus subscriber 30 and 
are transmitted in a separate bus cycle, or however they 
only occupy a part of the useful data field 150 and can 
thus be transmitted together with the useful data of the 
bus subscriber 30 in the same bus cycle, to the master 
control device 20. That can provide for more effective 
data transmission. The bus subscribers 30, 40 and 50 
can not only transmit safety-related information to the 
master control device 20 but in opposite relationship 
can also receive safety-related data or information from 
the master control device 20. For that purpose the bus 
connecting device 70 reads out of a useful data field of 
a sum frame, the items of safety-related information 
which are intended lor the bus subscriber 30 and which 
again comprise the actual safety-related data, the 
negated safety-related data and an item of check infor- 
mation, all of which are produced in the master control 
device 20, as will be further described hereinafter. The 
bus connecting device 70 has for example two outputs 
72, 73. The lathe 1 10 is connected to the output 72 by 
way of a switch 170 and the welding robot 120 is con- 
nected to the output 73 by way of a switch 1 80. If neces- 
sary the lathe 110 and the welding robot 120 can be 
separated from the interbus system by way of the 
switches 170 and 180. In particular control data and 
process and parameter data can be transmitted to the 
lathe 110 and the welding robot 120 or parameter and 
process data can be transmitted from same to the bus 
connecting device, by way of the switches 1 70 and 180. 
The outputs of the switches 170 and 180 are connected 
to the safety component 90. The bus connecting device 
70 is also connected to the safety component 90 in 
order to supply same with the items of safety-related 
information received from the master control device 20. 
The safety-related data received from the master con- 
trol device 20 correspond to predetermined safety func- 
tions which are performed by the safety component 90. 
For that purpose the safety component 90 is also con- 
nected to the switches 170 and 180. The safety compo- 
nent 90 receives from the bus connecting device 70 the 
safety-related data coming from the master control 
device 20, negated safety-related data and the check 
information which it requires to ascertain the appropri- 
ate safety function. For example, the safety component 
90 interprets the safety-related data coming from the 
master control device 20, to the effect that the speed of 
rotation of the lathe 110 has exceeded a critical value 
and that for example a person has moved into the safety 
region of the welding robot. Thereupon a predetermined 
safety function is triggered, which causes the switches 
1 70 and 1 80 to be opened so that the lathe 1 1 0 and the 
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welding robot 120 can be disconnected from the inter- 
bus 10. The level of safety and security of the system is 
further improved with the feedback of the outputs of the 
switches 1 70 and 1 80 to the safety component 90. Thus 
it is possible for the safety-related information coming 
from the master control device 20 to be falsified in such 
a way that they reflect a fault-free condition. In actual 
fact however faults have occurred in the lathe 110 and 
the welding robot 120. Due to the fed-back outputs of 
the switches 170 and 180, the safety component 90 is 
capable of comparing the actual condition or status val- 
ues with the safety-related information received from 
the master control device 20, and opening the switches 
1 70 and 1 80 or keeping them open, if the data are not in 
conformity with each other. 

[0019] The safety component 90 can include further 
steps and measures in conformity with EN 954-1, such 
as for example the above-mentioned self-test which is 
regularly carried out and a timer which for example 
opens the switches 1 70 and 180 after 40 ms in order to 
switch the lathe 1 10 and the welding robot 120 into a 
safe condition if no valid safety-related data have been 
recognised. 

[0020] Figure 3 shows a block circuit diagram of the 
master control device 20 shown in Figure 1. It will be 
appreciated that only the features that are essential fea- 
tures of the invention are illustrated herein. The master 
control device 20 includes a higher-order control unit 
200, the function of which will be described in greater 
detail hereinafter. In addition a safety-related circuit 
arrangement 210 is implemented in the master control 
device 20. Furthermore the master control device 20 
has a receiving device (not shown) which can read the 
safety-related information of the bus subscribers30, 40 
and 50 out of the useful data fields of a received sum 
frame, for example the sum frame 125 shown in Figure 
4. The safety-related data of the subscriber 30, which 
are transmitted in the useful data field 130, are consid- 
ered by way of example. The receiving device feeds the 
actual safety-related data which are contained in the 
sub-field 132 to a first check circuit 220. The negated 
safety-related data contained in the sub-field 134 are 
fed to a second check circuit 225. The check information 
transmitted in the sub-field 136 is fed both to the check 
circuit 220 and also to the check circuit 225. The check 
circuits 220 and 225 evaluate the received data. The 
check circuit 220 which processes the actual safety- 
related data is connected to a logic circuit 230 and feeds 
its output data to the higher-order control unit 200 while 
the check circuit 225 is connected on its output side to a 
logic circuit 235. In response to the output signal of the 
check circuit 220 the higher-order control unit 200 pro- 
duces a control signal which is dependent on the safety- 
related data of the bus subscriber 30 and which is fed to 
the logic circuit 230 and the logic circuit 235. From the 
output signal of the check circuit 225 and the control sig- 
nal of the higher-order control device 200, the logic cir- 
cuit 235 produces the actual safety-related data which 



are intended for the bus subscriber 30. From the control 
signal of the higher-order control unit 200 and the output 
data of the check circuit 220, the logic circuit 230 ascer- 
tains an output signal which is fed to a circuit 240 which 

5 supplies an output signal corresponding to the negated 
safety-related data of the logic circuit 235. The circuit 
240 also produces either an item of check information 
from the negated safety-related data and/or from the 
actual safety-related data. The actual safety-related 

w data, the negated safety-related data and the item of 
check information, which are sumrnarisingly referred to 
as safety-related information, are again written by the 
safety-related circuit arrangement 210 into the useful 
data field of a sum frame which is intended for the bus 

75 subscriber 30. The master control device 20 is also 
capable of processing the items of safety-related infor- 
mation of all connected bus subscribers 30, 40 and 50 
in that way and writing them into the corresponding use- 
ful data fields of a sum frame. 

20 [0021] Under the control of the higher-order control 
unit 200, during each bus cycle or in predetermined bus 
cycles, the safety-related circuit arrangement 210 of the 
master control device 200 can transmit predetermined, 
that is to say clearly defined, items of safety-related 

25 information in the useful data fields of a sum frame, 
which are associated with the bus subscribers 30, 40 
and 50. to the bus subscribers 30, 40 and 50. The 
safety-related devices 80 of the bus subscribers 30, 40 
and 50 are of such a configuration that, in response to 

30 the actual condition of the respective bus subscriber or 
the condition of the input/output devices connected to 
the bus subscriber, they can return the received prede- 
termined safety-related data to the master control 
device 20, in a changed or unchanged state. The mas- 

35 ter control device 20 compares the bus subscriber-spe- 
cific, safety-related information received in the useful 
data fields of the sum frame, to the predetermined 
safety-related information. If the items of safety-related 
information are the same, no safety functions are trig- 

40 gered. If of course the received safety-related informa- 
tion does not coincide with the predetermined safety- 
related information, then, under the control of the 
higher-order control unit 200. the safety-related circuit 
arrangement 210 can immediately produce suitable 

45 items of safety-related information which correspond to 
corresponding safety functions. Those items of safety- 
related information are either used by the safety-related 
circuit arrangement 210 of the master control device 20 
in order for example to trigger off an emergency off 

so function which puts the entire system into a safe condi- 
tion. On the other hand, it is possible that those items of 
safety-related information are transmitted to the con- 
nected bus subscribers 30, 40 and 50 whose safety- 
related arrangements 70 trigger the respective safety 

55 functions, in response to the received items of safety- 
related information. In order to improve the level of 
safety and security of the entire system, the predeter- 
mined safety-related information can be transmitted a 
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second time to the bus subscribers 30, 40 and 50 which 4. 
then again, in dependence on their condition or state, 
send those items of predetermined safety-related infor- 
mation back to the master control device 20, in a 
changed or unchanged state. 5 
[0022] By virtue of the invention with which the safety 
measures are implemented on the one hand in the mas- 5. 
ter control device 20 and on the other hand in each bus 
subscriber 30, 40 and 50 respectively, wherein the 
safety-related data or items of information are transmit- 10 
ted in the useful data fields of the interbus sum frame, it 
is possible for the system to be enlarged at any time 
with manufacturer-independent structural units, and for 
the application which is being carried into effect in the 
higher-order control unit 200 to be altered, without the is 6. 
functions in terms of safety procedures being adversely 
affected thereby. 

Claims 

20 

1 . A control and data transmission installation includ- 7. 
ing a serial field bus (10) to which a master control 
device (20) and a plurality of bus subscribers (30, 

40, 50) are connected. 

characterised in that 25 

a respective safety-related device (210; 80) for 
carrying out predetermined safety functions is 
arranged in the master control device (20) and 
in the bus subscribers (30, 40, 50), and 30 
the safety-related devices (210; 80) can com- 
municate with each other by way of the field 
bus (10). 

8. 

2. A control and data transmission installation accord- 35 
ing to claim 1 characterised in that each bus sub- 
scriber (30, 40, 50) is connected to the field bus 
(10) by way of a bus connecting device (70), 
wherein the bus connecting devices (70) transmit 
the safety-related data which are to be exchanged 40 
between the safety-related devices (80; 210) and 
which represent the safety condition of the respec- 
tive bus subscriber (30, 40, 50) by way of the field 9. 
bus (10) in the useful data fields (130, 140, 150) of 
predetermined data frames (125). <5 

3. A control and data transmission installation accord- 
ing to claim 1 or claim 2 characterised in that the 
safety-related device (80; 210) of each bus sub- 
scriber (30, 40, 50) and/or the master control device so 1 0. 
(20) has at least one input (92, 93) connected to a 
monitoring device (100, 102). wherein the safety- 
related device (80, 210) negates the output signal 

of the monitoring device (100, 102) and produces 
from the output signal and/or its negated output sig- ss 
nal an item of check information representing the 
safety-related data to be transmitted. 



A control and data transmission installation accord- 
ing to one of claims 1 to 3 characterised in that each 
bus subscriber (30, 40, 50) and/or the master con- 
trol device (20) has at least one output (72, 73) con- 
nected to a device (1 10, 120) to be safeguarded. 

A control and data transmission installation accord- 
ing to claim 4 characterised in that each output (72, 
73) is connected by way of a switch (170, 180) to 
the bus connecting device (70) and directly to the 
safety-related device (90) of the respective bus sub- 
scriber (30, 40, 50) and/or the master control device 
(20). 

A control and data transmission installation accord- 
ing to claim 5 characterised in that the safety- 
related device (80; 210) opens or closes the switch 
(170, 180) in response to the output signal of the 
corresponding monitoring device (100, 102). 

A control and data transmission installation accord- 
ing to one of claims 2 to 6 characterised in that the 
safety-related device (210) of the master control 
device (20) has a receiving device for receiving the 
safety-related data of each bus subscriber, an eval- 
uation device (220, 225) for evaluating the received 
safety-related data and a device (200. 230. 235, 
240) which, in response to the evaluated data, pro- 
duces new safety-related data which are intended 
for the respective bus subscriber (30, 40, 50) and 
which correspond to a predetermined safety func- 
tion. 

A control and data transmission installation accord- 
ing to claim 3 and claim 7 characterised in that the 
receiving device is adapted to receive the safety- 
related data, the negated data thereof and the 
check information, and that the producing device 
(200. 230, 235, 240) is adapted to produce the new 
safety-related data, the negated data thereof and a 
new item of check information. 

A control and data transmission installation accord- 
ing to one of claims 2 to 8 characterised in that the 
field bus (10) is an interbus in accordance with DIN 
19258 and the data frame is a sum frame (125) 
which contains the input or output data of each bus 
subscriber (30, 40, 50). 

A control and data transmission installation accord- 
ing to one of claims 1 to 9 characterised in that 
associated with the master control device (20) is a 
higher-order control unit (200) which triggers one or 
more predetermined safety functions in depend- 
ence on the safety-related data of the bus subscrib- 
ers (30, 40, 50). 

A process for the transmission of safety-related 
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data in a control and data transmission installation 
according to one of claims 1 to 10 which includes a 
serial field bus (10) and bus subscribers (30, 40, 
50) connected thereto as well as a master control 
device (20) connected thereto, including the follow- 5 
ing process steps: 

a) implementing a data transmission protocol 
and a safety protocol for carrying out predeter- 
mined, installation-specific safety functions in 10 
each bus subscriber and in the master control 
device; 

b) in response to the output signals of a moni- 
toring device associated with the bus sub- 
scriber the corresponding safety protocol is 
produces safety-related data which reflect the 
condition of the respective bus subscriber and 
transmits same to the data transmission proto- 
col; 

c) the data transmission protocol transmits the 20 
safety-related data of the respective bus sub- 
scriber in the useful data field of a predeter- 
mined data frame by way of the serial field bus 

to the master control device; 

d) the safety protocol of the master control 25 
device receives the safety-related data coming 
from the bus subscriber, produces in depend- 
ence thereon new safety-related data which 
correspond to a predetermined safety function, 
and transmits the new safety-related data in the 30 
useful data field of a data frame back to the cor- 
responding bus subscriber; and 

e) in response to the new safety-related data 
the safety protocol of the bus subscriber per- 
forms the associated safety function. 35 

12. A process according to claim 11 characterised in 
that in step b) the safety protocol negates the 
safety-related data and forms an item of check 
information from the safety-related data and/or the 40 
negated safety-related data and that in step d) from 

the received safety-related data and the negaged 
data thereof as well as the check information, there 
are produced new safety-related data, new negated 
safety-related data and a new item of check infor- 45 
mation. 

1 3. A process according to claim 1 1 or claim 12 charac- 
terised in that in each bus cycle the master control 
device transmits predetermined safety-related data so 
to the connected bus subscribers, that in depend- 
ence on their safety condition the bus subscribers 
produce safety-related data and send same back to 

the master control device which compares the emit- 
ted predetermined safety- related data to the safety- ss 
related data received from each bus subscriber and 
triggers predetermined safety functions if the result 
of the comparison is negative. 
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